authentication

Web Services authentication - best practices?

We have SOAP web services in production that are relying on SOAP Headers (containing plain client credentials) for the authentication. The WS are used in heterogeneous environments with .NET/Java/PHP/Python/C++ clients, both web apps and desktop apps. We are considering a v2 for those WS and I am wondering what are considered as the best pr...

Non-interactive authentication/authorization for XML-RPC?

We don't exactly comply with the XML-RPC spec, but the concepts are nearly identical. A client comes in over HTTP/HTTPS with an XML payload. We respond with an XML payload answering the request. This is primarily machine to machine, so no human to type a username/password. Our construct runs within apache tomcat. We would like to au...

Can CLIENT-CERT auth-method be used with a JDBC realm within tomcat?

The JDBC realm specifies a table structure for authentication which contains the columns defined by the attributes userNameCol and userCredCol. These correspond to user and password which makes sense for FORM or BASIC auth-methods. They are interactive and require these two pieces from the client's user. What comes back from the cert...

How to get the asp.net login control to auto authenticate a previously authenticated user?

I am trying to set up the login control to remember the login credentials of a user who has previously entered their user name and password successfully. I set the remember me property to true, but it doesn't seem to trigger any events where I could read the cookie and auto login the user. Is there a straightforward mechanism to accom...

How can I audit passwords in powershell?

I'd like to enumerate domain accounts and try authenticating as each with a limited set of passwords. The issue is that I can't find any way to attempt to validate credentials without "doing" something (e.g. querying wmi with impersonation) which isn't useful as the account may or may not have the ability to connect via wmi in the firs...

Very slow response for Visual Studio 2005 Web Site Administration Tool

I am working on an ASP.NET application and am trying to add user authentication. As a first step, I am using the Web Site Administration tool (Website | ASP.NET Configuration) to manage users and permissions. Accessing this website is incredibly slow. To load the main page takes 30 seconds. When navigating to the Security page (also ...

Unauthorized Sharepoint WSDL from Coldfusion 8

How do I solve the error: Unable to read WSDL from URL: https://workflowtest.site.edu/_vti_bin/Lists.asmx?WSDL. Error: 401 Unauthorized. I can successfully view the WSDL from the browser using the same user account. I'm not sure which authentication is being used (Basic or Integrated). How would I find that out? The code making...

Can you get a Windows (AD) username in PHP?

I have a PHP web application on an intranet that can extract the IP and host name of the current user on that page, but I was wondering if there is a way to get/extract their Active Directory/Windows username as well. Is this possible? ...

IIS Returning Old User Names to my application

Here's my scenario. I created an application which uses Integrated Windows Authentication in order to work. In Application_AuthenticateRequest(), I use HttpContext.Current.User.Identity to get the current WindowsPrincipal of the user of my website. Now here's the funny part. Some of our users have recently gotten married, and their n...

Authenticating in PHP using LDAP through Active Directory

I'm looking for a way to authenticate users through LDAP with PHP (with Active Directory being the provider). Ideally, it should be able to run on IIS 7 (adLDAP does it on Apache). Has anyone done anything similar, with success? Edit: I'd prefer a library/class with code that's ready to go... It'd be silly to invent the wheel when some...

How to implement Querystring authentication

I’m developing a website of a client and they are sending out newsletters to their customers (through the website administration interface). The newsletters are personal to each of the subscribed recipients/customers. Each recipient/customer is also a user with a username/password that enables them to sign in on the website and manage t...

Return to referring page

I am using an authentication attribute on some of my actions in an asp.net mvc page to refer people to a login screen if they have not authenticated. My problem is returning them to the referring page after they have logged in. I was just keeping track of the referring action and referring controller but that becomes problematic when I...

WCF Custom Http Proxy Authentication

Is it possible to provide WCF with a custom proxy address and custom credentials? I've found this answer on stackoverflow: http://stackoverflow.com/questions/105499/how-to-set-proxy-with-credentials-to-generated-wcf-client, but I've got a complication, the service I'm authenticating against uses its own authentication, so I've got to u...

How to use Python to login to a webpage and retrieve cookies for later usage?

Hi! I want to download and parse webpage using python, but to access it I need a couple of cookies set. Therefore I need to login over https to the webpage first. The login moment involves sending two POST params (username, password) to /login.php. During the login request I want to retrieve the cookies from the response header and stor...

WCF transport security with no authentication

Is it possible to have transport security without authentication? I'm well aware of its flaws but atm I can't install a certificate at the client side. It seems I can set WSHttpBinding.SecurityMode to Transport and the ClientCredentialType to HttpClientCredentialType.None, but when I try to call the service I get this exception: An erro...

How to grab AD credentials from client machine in a web application.

Is it possible to grab Active Directory credentials for the user on a client machine from within a web application? To clarify, I am designing a web application which will be hosted on a client's intranet. There is a requirement that a user of the application not be prompted for credentials when accessing the application, and that i...

Users Authentication in ASP.NET

Hey everyone, I was wondering, what's the best approach in creating users authentication for my asp.net-mvc web application. Should I use the Forms authentication using a custom MembershipProvider ? Or should I implement my own login and registration mechanism for my users? ...

DoubleRenderError in restful_authentication with acts_as_state_machine when activating users.

In a project which uses restful_authentication with acts_as_state_machine and email activation, I get a double render error whenever a user does the activation action from the email link. I'm using the default def activate self.current_user = params[:activation_code].blank? ? false : User.find_by_activation_code(params[:activation_c...

ASP.Net AJAX WCF Authentication Services and Session Timeout

Our Web application uses the ASP.Net AJAX Authentication Services to perform login/logout. Everything works great if the login/logout actions are initiated from client side via JavaScript. Question: When the session times out how do I call the AuthenticationService.Logout function from the SessionEnd event? Looking for a simple clean...

How would you implement salted passwords in Tomcat 5.5

My web application is relying on container-managed security and I'm wondering if it's possible to use salted passwords at all. As far as I can tell it's easy enough to store digested passwords in a database by just configuring a JDBC or DataSource Realm, but there's no way to add a salt to those digest. Any suggestions? Edit: it seems...